Apple Platform Security May 2022: Tap to Pay on iPhone, Express Mode scare mongers and other fun

Ahh springtime, flowers and the annual Apple Platform Security (APS) update. This year’s version has many Apple Pay housekeeping changes. Previous versions put everything Apple Pay in a single section. In keeping with Apple spinning out iOS 15 Wallet app as a separate identity, Wallet has its own separate section now, covering all the things Jennifer Bailey unveiled at WWDC21: hotel-home-office keys and ID in Wallet. The Apple Pay section adds a new category for Tap to Pay on iPhone with some interesting bits.

The Tap to Pay on iPhone servers manage the setup and provisioning of the payment kernels in the device. The servers also monitor the security of the Tap to Pay on iPhone devices in a manner compatible with the Contactless Payments on COTS (CPoC) standard from the Payment Card Industry Security Standards Council (PCI SSC) and are PCI DSS compliant.

The Tap to Pay on iPhone server emits decryption keys to the Payment Service Provider after validation of the integrity and authenticity of the data, and after verifying that the card read was within 60 seconds of the card read on the device.

What’s interesting to me is that Tap to Pay on iPhone servers provide a seamless payment reader experience in the same way that Apple Pay servers provide a seamless pay experience. It just works, from setup to use, and the same tight integration allows payment service providers to focus on POS app development and forget about the hardware because Apple Pay takes care of everything. As Junya Suzuki tweeted recently, a lot of payment reader hardware is suddenly junk compared to what iPhone provides with tight mobile integration and Tap to Pay servers on the backend. Now with Tap to Pay apps on the horizon, good thing that iOS 15 Wallet expanded the secure element max to 16, ain’t it?

Speaking of Wallet, this separate section covers all things “access credential” related (hotel-corporate-home-car-student ID) with App Clips suggested for provisioning multifamily home keys. Transit now includes eMoney cards (or is it e-Money? Apple seems confused about it, just like Express Mode vs Express Transit) and ID in Wallet is covered in detail. There is also an intriguing iOS 15.4 Wallet security tweak:

In iOS 15.4 or later, when a user double-clicks the side button on an iPhone with Face ID or double-clicks the Home button on an iPhone with Touch ID, their passes and access key details aren’t displayed until they authenticate to the device. Either Face ID, Touch ID, or passcode authentication is required before pass specific information including hotel booking details are displayed in Apple Wallet.

It sounds almost exactly like what we already do with regular Apple Pay cards. Perhaps keys and passes only show a generic icon and checkmark with Express Mode, with double-click + authentication required to show details…it’s not very clear.

Speaking of Express Mode, ‘security experts’ are still scare mongering the masses with the tired old Russian security expert/Apple Pay VISA Express Transit exploit story that made the rounds last November, regurgitated by Forbes in the over-the-top scary sounding, and sloppily written (this is Forbes after all), “How hackers can drain your bank account with Apple and Samsung tap and pay apps”.

The whole security expert thing reminds me of what my uncle the doctor (who ran a medical research lab at Columbia University) used to say about his disdain for pharmaceutical companies, “They don’t want to cure you, they just want to keep ‘treating’ you with their medicines.” Human nature never changes. The gist is that EMV Express Transit Mode will always be a thorn in Apple Pay’s side because the security is up to the card companies.

The document is worth your time if you have any interest in Apple Pay and Wallet.

Dealing with a lost Wallet

Yusuke Sakakura writes:

As usual, I tried to get on the train using Apple Pay Suica at the ticket gate, but it didn’t respond at all and I got stuck. At first I thought it was because I was wearing a thick coat, so I held it up again, but there was no response … When I checked the Wallet app, all the credit cards and Suica were gone.

It sounds like he was using Suica on Apple Watch. Sakakura goes on to helpfully explain what can cause this and how to get your Wallet cards back. The most common cause for a lost Wallet is signing out of Apple ID. Another cause is turning off the passcode. As he points out, the notification warning when signing out of Apple ID or turning off the passcode is vague: it doesn’t specifically say you are about to wipe your credit cards and Suica from iPhone. Some users are not fully aware of the consequences and proceed, only to be rudely surprised when they find Wallet is empty.

In all cases it is easy to restore a lost Wallet. Sign in to Apple ID, set a passcode, go to Wallet, tap +, tap Previous Card and re-add the listed cards. Suica is easier to re-add as there are no terms and conditions or security code steps involved. As always, make sure iPhone has a robust network connection when adding Wallet cards.

Another issue to be aware of with Suica and PASMO is Express Mode deactivation without realizing it. This happens when iPhone Face ID has 5 false reads (easy to do when wearing a face mask), when Apple Watch is off the wrist, or when the iPhone side buttons are inadvertently pressed in a snug fitting pocket (often aggravated by the phone case).

One oddity I have encountered using Apple Pay Suica on Apple Watch is wrist band fit. Apple Pay Suica on Apple Watch works fine at the transit gate under layers of winter clothes, but Express Transit is sometimes deactivated with a looser fitting band. I like wearing the braided sports loop but it tends to stretch over time and become loose compared with the snug fitting solo loop. On a recent trip I had to constantly enter the Apple Watch passcode as my winter coat sleeve layers pulled the loose fitting braided sport loop enough to fool wrist detection. From here on I’m sticking with the cheaper, more reliable solo loop which never has this problem.

Here are some guides dealing with re-adding Suica and PASMO:

Transfer to another device
Restore from a lost or wiped device
Safely remove Suica or PASMO

QR Vaccination Certificate iOS 15 Wallet support comes to Japan (Updated)

The Japanese Government Digital Agency released a QR Code COVID-19 Vaccination Certificate app for iOS and Android today, 2021-12-21. The iOS app has support for SMART Health QR Code certificates that can be added to Wallet on iPhone with iOS 15.1 and later.

The app requires a Japanese Individual Number Card (My Number Card) to issue a vaccination certificate, which is linked to the individual’s vaccination information. The process offers 2 options, domestic use and international use. Issuing a certificate is simple: select options, enter the user-set My Number PIN and read the physical My Number Card. The International option additionally requires reading a passport number.

Users report success getting an issued certificate into Wallet but the process is somewhat manual. If you don’t get a Wallet prompt, do an in-app scan of the Smart Health QR Code to load it into Health and Wallet apps.

My own experience with the app was not good. I have vaccinations and a My Number Card, but get a 60910 error when I enter my PIN and read the card. Some My Number Card naming conventions, such as maiden + married names, or mixed English and Japanese, are not accepted by the app for certificate issue.

The app support details explain this kind of issue can only be fixed with a visit to the city hall office where city officials update the registered My Number Card name information. The issue appears to affect more than a few people. The Digital Agency updated their website later in the day and told IT reporter Junya Suzuki that an app update is coming soon to address some unspecified naming issues, however the basic name limitations remain listed on the website and app.

We shall see…knowing my luck I’ll probably have to go to the local ward office records section anyway to get a real fix. I’ll report the gory details later if I do.


UPDATE 2021-12-22
A number of issues have cropped up since the app’s release. It seems that the Digital Agency subcontractor made mistakes, or failed to find them in their rush to get the Vaccination Certificate App out. Most likely there wasn’t proper subcontractor oversight or review, and iOS development appears to have taken a backseat to Android. The name issue is related to limitations in the current JP ePassport format. The timing is questionable as Japan is entering a gray zone regarding who should get booster vaccinations and when. Until that’s settled, vaccination certificates are pretty useless for domestic use.

The list of issues so far:

  • The supported formats are ICAO VDS-NC and SMART Health Cards (SHC). Currently there is no support for the EU DCC format which is widely used internationally (iOS 15.4 Wallet will support EU DCC; expect app support to follow).
  • Certificates are not added to Wallet automatically; it is done via an in-app scan of the SHC QR Code, not the VDS-NC one.
  • The app handles the SHC code incorrectly and produces an SHC record that wrongly juxtaposes ‘family’ and ‘given’ names in Roman letters (fixed in v1.04 update).
  • Instead of reading ePassport data via NFC, the app uses OCR. Verification could be done with an NFC read of all ICAO MRTD (ePassport) information but the app does not do this. Instead the only requirement to get a passport read is a valid MRZ (machine readable zone) read of a birthdate that matches the birthdate read from the My Number Card.
  • The JP ePassport format does not support maiden + married names (by design) and this is the given reason why OCR is used instead of NFC. The JP ePassport name limitation is also the reason why the current version of the app refuses to issue vaccination certificates when the My Number Card contains such name combinations (fixed in v1.08 update).
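The family/given name mix-up in the third item above is the kind of thing that can only be caught by looking at the actual certificate contents. As an added example (not code from the Digital Agency app or from this blog), here is a small Python decoder that takes a SMART Health Card QR payload, recovers the JWS it carries and pulls the FHIR Patient name parts out so the Roman-letter family/given ordering can be compared with the holder’s documents; the numeric shc:/ encoding, raw DEFLATE payload and JWS layout follow the SMART Health Cards specification, while the sample certificate, its issuer, key id and all-zero signature are constructed and the signature is not verified.

```python
import base64
import json
import zlib

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def shc_decode(qr_text: str) -> str:
    # shc:/ numeric form: each JWS character is carried as two digits equal to ord(char) - 45
    digits = qr_text[5:]
    if not qr_text.startswith("shc:/") or len(digits) % 2 or not digits.isdigit():
        raise ValueError("not a well-formed SMART Health Card QR payload")
    return "".join(chr(int(digits[i:i + 2]) + 45) for i in range(0, len(digits), 2))

def shc_encode(jws: str) -> str:
    return "shc:/" + "".join(f"{ord(c) - 45:02d}" for c in jws)

def jws_payload(jws: str) -> dict:
    # Payload decode only: the ES256 signature is NOT verified here (check it against the issuer JWKS)
    header_b64, payload_b64, _signature = jws.split(".")
    raw = b64url_decode(payload_b64)
    if json.loads(b64url_decode(header_b64)).get("zip") == "DEF":
        raw = zlib.decompress(raw, wbits=-15)  # raw DEFLATE, no zlib wrapper
    return json.loads(raw)

def patient_names(payload: dict) -> list:
    # (family, given-list) for each Patient, to compare with the holder's My Number Card name
    names = []
    for entry in payload["vc"]["credentialSubject"]["fhirBundle"].get("entry", []):
        resource = entry.get("resource", {})
        if resource.get("resourceType") == "Patient":
            for name in resource.get("name", []):
                names.append((name.get("family"), name.get("given", [])))
    return names

def build_sample_qr() -> str:
    # Constructed sample: dummy issuer and kid, all-zero signature, a single Patient
    patient = {"resourceType": "Patient", "name": [{"family": "Yamada", "given": ["Taro"]}]}
    payload = {"iss": "https://example.invalid/issuer", "vc": {"credentialSubject": {
        "fhirVersion": "4.0.1", "fhirBundle": {"resourceType": "Bundle", "type": "collection",
        "entry": [{"fullUrl": "resource:0", "resource": patient}]}}}}
    header = {"zip": "DEF", "alg": "ES256", "kid": "constructed-kid"}
    comp = zlib.compressobj(wbits=-15)
    body = comp.compress(json.dumps(payload, separators=(",", ":")).encode()) + comp.flush()
    jws = ".".join([b64url_encode(json.dumps(header).encode()), b64url_encode(body), b64url_encode(bytes(64))])
    return shc_encode(jws)
```

Running patient_names(jws_payload(shc_decode(qr))) on a real certificate shows whether the issuer put the surname in ‘family’ and the personal name in ‘given’, or swapped them as the v1.0x app did.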

The Apple Pay whipping post

I suppose I should care about the latest ‘Apple Pay is evil’ brouhaha piece by CNBC “Apple is sticking taxpayers with part of the bill for rollout of tech giant’s digital ID card” by Hugh Son and Kif Leswing which appeared more or less at the same instant as “What Apple’s Secret DMV Contracts Tell Us” on Jason Mikula’s Fintech Business Weekly Substack newsletter.

But I don’t. In this age of shut up when we tell you to shut up big corporate and social media, I get suspicious when east coast journalists start trolling a big new ‘scoop’ at the same time. Why now and why these guys? Why do they ask the same questions? Do they hang out at the same bar and share story notes, or did somebody feed them the story and the sources? Both pieces outline some of the agreements Apple made with states and the restrictions/conditions Apple has in place to provide ID in Wallet for driver’s licenses.

When a story like this breaks from multiple outlets just before a service launch, and there is every indication Apple plans to release ID in Wallet with the iOS 15.2 update, I smell somebody’s agenda. A somebody who wants to upend Apple Pay’s ID in Wallet launch cart. This is the way to do it.

As Mikula is a former Goldman Sachs guy where he learned how to fleece things, he provides important context to the story that CNBC does not:

Multiple ID verification (“IDV”)…is big business — according to a company in the space, Mitek Systems, it was worth an estimated $7.6 billion in 2020 and will grow to nearly $16 billion by 2025. Socure, a company offering IDV services, just raised $450m at a $4.5 billion valuation — an increase in value of ~2.5x from earlier this year.

What Apple’s Secret DMV Contracts Tell Us

I wrote about iOS 15 ID in Wallet earlier this year:

There is another aspect to consider, one that Apple certainly won’t divulge: who manages and runs the backend centralized mobile ID issue service that plugs into Apple Pay servers…There has to be a partner service company that sub-contracts mobile ID issue services to participating state governments…somebody that does the heavy lifting of linking various state database servers to provide a centralized card issuing service so that Apple can provide a seamless ID add card experience. But it must be an independent entity that can provide the same set of backend ID issue services to other digital wallet platforms (Google Pay, Samsung Pay, etc.) at some point. Because if it is not an independent entity providing those services, Apple is inviting more claims that Apple Pay is a monopoly. It’s a mystery worth digging into.

Secrets of iOS 15 Apple Wallet

Beyond defining Digital Identity Credentials that are the key part of the ‘restrictive’ agreements between the states and Apple, there are no system details. Nada. Certainly nothing like the system diagram from the Japanese Ministry of Internal Affairs and Communications (MIC) English PDF document, First Summary Toward the Realization of Electronic Certificates for Smartphones, that outlines how the digital ID system architecture for the Individual Number Card (My Number) works. A white paper from Apple explaining how ID in Wallet works, both on the device and in the cloud, is key to understanding how secure ID in Wallet is and how restrictive the agreements are. Without one, Apple puts itself, and Apple Pay ID in Wallet, at risk in the political environment that is state government contractor relations. Asking users to simply trust a black box doesn’t fly in this security risk averse, privacy conscious age.

As nothing has been released yet, and we have no white paper or anything else from Apple, I think discussion is pointless at this point. Questions are a good thing, but are CNBC and Mikula asking good questions? I think the sudden ‘we’re protecting the tax payers and good citizens’ angle is highly suspect when CNBC has been a highly partisan mouthpiece always on the side of establishment government and establishment corporate America… a media company who asked nothing about big pharma’s role in the COVID hysteria driven vaccination program for example, or why Pfizer etc. are exempt from any and all side-effects of their experimental vaccinations, all while demonizing the good citizens who want those questions asked.

After all, privatization of government services is so entrenched at this point nobody really questions it anymore. Wouldn’t it be better to ask why states want to sign up for ID in Wallet, what they want to get out of it and why, why, why? Could it be that states want a successful digital ID service people will actually use? Not sexy enough I guess. If you ask me, I think some government contractor in the IDV business, and their supporters, stand to lose out in a big way if ID in Wallet is a success and used some connections to slam a media outrage ball into Apple’s court. Let the games begin.

Japanese government lists dual SIM iPhone models ‘non compliant’ for emergency call issues

The Japanese Ministry of Internal Affairs and Communications (MIC) has listed 15 dual SIM iPhone models including iPhone 13 as “non-compliant” with government technical standards due to an inability to place emergency calls in certain dual SIM use situations. Apple posted a Japanese-only support page on October 23 that acknowledges the emergency call issue when both a data-only SIM and a voice call SIM are installed, with a workaround: users need to make sure the SIM selected in Mobile Data settings is a voice SIM in order to make emergency calls to the 110/118/119 numbers (police, coast guard, ambulance).

Apple needs to fix this issue as quickly as possible. They should have caught it before iOS 15 shipped.